Secure AF - A Cybersecurity Podcast

You're Probably Not Hacked, You're Being Tracked

Alias Cybersecurity


You probably haven’t been hacked, you’ve been tracked. This episode breaks down how ad tech, mobile apps, and data brokers create massive behavioral profiles without ever touching your phone’s security. 

Learn how tracking really works, why it matters, and what you can actually do about it. 📱👁️📡

Watch full episodes at youtube.com/@aliascybersecurity.
Listen on Apple Podcasts, Spotify and anywhere you get your podcasts.

SPEAKER_01

A lot of people talk about like, oh, we're being tracked, you know, our messages are being listened to, our phone calls are being listened to. How realistic is that?

SPEAKER_02

I mean, pretty realistic, but I think people uh don't understand a lot of the mechanisms through it through what it happens. Um, there are some sources which are absolutely public, being scraped, being monitored, things like that. If I just call you directly, is somebody listening to that phone call? Likely not. Um, unless you have some sort of a really targeted surveillance against you, that you've got malware or you've got a wiretap federally or something like that, which there are a lot of federal wiretaps. Like that happens on extremely large scale. So that's a different story entirely. But I think that the most likely thing is that you're more predictable than you think.

SPEAKER_00

You are now listening to the Secure AF Podcast.

SPEAKER_01

All right, welcome to another episode of the Secure AF Podcast. This is episode 112. You're probably not being hacked, you're being tracked. That's what we're gonna roll with here.

SPEAKER_02

So I like that we're keeping count with the podcast now. I didn't know the bad ones was.

SPEAKER_01

Yeah, Sam does a good job. Yeah, that's it, and it's funny too, because I tell people all the time it's 112 episodes of Secure AF, the bi-weekly one, not counting Hickman's you know, SOC brief that's the word. So yeah, welcome to episode 4365. No, uh yeah, anyway. Um, yeah, Bronze that's back out. So we were discussing last week. Um, there was a report that came out about ad-based geolocation surveillance. So we were talking about this. So there's a system, it's called Webloc. Um, it uses data from mobile apps and digital advertising um to track people's locations and behaviors at massive scale. Um, and it can monitor up to millions of devices globally using constantly updated streams of location and profile data. Um, but here's the thing, and we hear this a lot of times too. We have people that always, hey, I think my phone's been hacked. Okay, well, what's going on? And then they tell us what they mean by their phone is being hacked, and it's not necessarily the dish definition of hacking. And just like in this case, um, this isn't, yes, this data is out there, but they're not hacking phones. They're buying data from ad tech companies, um, and they're tracking movements and routines. They're identifying um a lot of different stuff. This is like historical location data that can go back like several years. Um, it's no hacking required on this. It's they're just buying access. Yeah.

SPEAKER_02

Yeah, and this and this this goes out even further than this, too, where you can buy location data and all kinds of stuff as well. Um, I mean, you can buy aside from this is a huge thing that's being uncovered. Um, but you can you can buy advertising information for a long time, right? I want to geofence target my clients. I mean, that's been a thing for a long time. And you can buy that data for a decade. So, I mean, this isn't exactly super new. This is a very new insight into how deep this goes and the scale that it goes and who's using it. And this was uh from Citizen Lab. Yeah, and Citizen Lab is is awesome. I love them, they do great work. Um, but they they kind of broke the they kind of broke the story on this. Right, yeah, yeah. Um, specifically Webloc with um uh Penlink. Sorry, they changed their name. They were a different company, they changed their name to Penlink. Wait, they sold to Penlink, I don't know the details, but now they're Penlink. So um yeah, it's just uh massive correlation of advertisement data. And I want to introduce a new term to you guys too. So you've got OSINT, open source intelligence, SIGINT, signals intelligence. We're gonna call this ADINT. So this is advertising intelligence because that's exactly what it is, and it would be used the exact same way.

SPEAKER_01

Yeah. Oh yeah, absolutely. And it's it's it's interesting too because this kind of dives a little bit into my world too, because I'm at alias here, I'm the director of marketing, um, and I do a lot of ad int, yeah, I guess we're called. Yeah, that's right. Yeah, yeah, yeah. Um, because a lot of what I do is is it's I refer to it as it is social engineering. Advertising is social engineering, you know, because what we're trying to do is we're trying to get into the consumer's head. We're trying to figure out like what their patterns are, what their likes are, what their dislikes are. We're trying to, it's a behavioral analysis. And uh once we can figure out who they are and what they are, then we can figure out how we can reach out to them in like their language, their terms. Um, should we talk about without mentioning any names an example of that from very recently? So we uh um so not naming any names, but there may have been a trend that was going around um on on the TikToks about something. And um legitimately it is a um physical um security issue. Oh, yeah. Yeah, yeah. And uh so we and of course at Alias we do physical um risk assessments. So as part of our also our physical penetration testing that Tanner does a lot of, uh, where companies are hiring us literally to break into their facilities and then show them where those vulnerabilities are. Um, we do a lot of walk arounds where we analyze things. And so Tanner had seen something and he ran it by me and he was like, hey, you know, like I'm watching these videos and I see like 10 things they can fix immediately when you reach out to these people. And so we had the fun idea of doing a little bit of this. Um, and so what I ended up doing is I started we started researching this company um and I geo-targeted them. So I created ads. 
Um, and the fun part was I created ads for us that were like in their color scheme with like their call-to-action styles, imagery that would appeal to them, using their terminology, using their fonts. So basically giving something to them that made them feel comfortable because it was very recognizable. And then we just geo-targeted it to like specifically just those areas. Um, and it was pretty funny to see it because it actually worked. Yeah. So yeah. Yeah.

SPEAKER_02

Um, but and this is kind of what we're talking about with the I will say though, that's actually out of a out of a hey, we could actually help. That wasn't like uh like a troll. That was legitimately like yes, oh hey, you guys should do this.

SPEAKER_01

Yes, to clarify, we were trying to help. So we were just, I just thought was interesting to kind of get in that behavioral speak of like, how can I appeal to specific people with the language that they understand with the image.

SPEAKER_02

And that's without even having access to this stuff.

SPEAKER_01

Right. Yep. So yeah, so it's it's it's relatively easy to do this. But you know, there's let's let's go back for a second. So there's, and I know people have talked about this a lot, and this is kind of a hot take, but you know, whenever you're, you know, you're not searching on your phone, you're not typing something in, you're not texting something, you're not googling something, um, but maybe you're having just a verbal conversation out loud with somebody. And I've had this happen before where I'm having a verbal conversation with a friend of mine. We're talking about going camping, and suddenly the next day I start seeing like camping, like advertisements for like camping supplies and stuff. And even weirder, one time I was playing piano at this guy's house and suddenly started getting piano ads the next day for like sheet music and chairs and accessories and stuff. And I was like, man, we didn't even talk about that. It was we were just playing piano. So um a lot of times people will say, Oh, yeah, it's they've hacked into my phone. And no, that's not really what's happening. Really, when you're seeing these ads pop up, I know you have a different take on this, um, but it's it's just you know, you're being tracked through legitimate data pipelines. They know what your behaviors are, they know what you're looking for, they know what you're doing. So they use that to try and appeal to you. Yeah. So yeah.

SPEAKER_02

No, I wouldn't say I have a different, a different take. Um, as far as the passive listening thing goes, I think that a lot of people uh have a lot of suspicion that things like that are going on. But I also feel like we would have a whole lot more proof. Um, so I'm undecided on that because I try to only work off of data that I have, right? Not as much of like anecdotes. Um what I think it may be also is that the data that's being collected, such as the things that you have sent messages about, social media posts about, the advertisements you've clicked on, the locations you've gone to, the people you've interacted with, the things that those people do, I think that maybe you're a lot more predictable than you think you are. Yeah. And I think that goes for everybody.

SPEAKER_01

Oh, yeah.

SPEAKER_02

So it could be that as well. It could be that as well. Um, but I I think there's there's a lot of other concerns. Um I don't mean derail, I know you have kind of a kind of a line. So go ahead. We'll we'll get to my my concerns before I start going off.

SPEAKER_01

Yeah, no, we're good. Um yeah, so let's let's just kind of like let's talk about how phones actually do leak data.

SPEAKER_02

Okay.

SPEAKER_01

So um I'm going to mention a couple things. You just give me some ideas of what you think about. So app permissions, SDKs.

SPEAKER_02

Oh, yeah, yeah, tons. Uh it depends on the SDK, right? Um, and and that's that's more like Android focused, but uh, Apple has their own equivalents. Um, so that's gonna be the actual application package that you install. So what can it access? I mean, theoretically, everything if you let it. Um, and so we've found like vulnerabilities in SDKs several times where we could actually like root the phone or where we could gain system level access. And if you have that, you can pull anything on the phone. So I'm not saying they are. Are some of them almost certainly? There's been malware found on app stores and things like that. Yeah, like it's almost certainly happened. Uh, and you get you know, permissions pop up so it says, Do you want to trust this to do cross-application tracking and things like that? And I mean, yeah, that's that's just as bad as it sounds. Yeah. Um, and I'm not sure that telling it no will always prevent it either, because there's still lots of other ways that's gonna correlate that data. So, yeah, an SDK or an application can have full access to literally everything on your phone, yeah, depending on what it does.

SPEAKER_01

And I think that that also it's a great time for a little bit of a um um just note to throw out there, um, just kind of public awareness. You know, a very good reason why you should always make sure that if you're downloading apps for your phone, that it's through a legitimate source, whether it's through um Google Play or the Apple store or um the Android store, um not downloading applications through websites.

SPEAKER_02

Um Yeah, and especially in this industry, in in the security industry, there's a lot of things that they don't allow in the app store, they don't put up there, and and I'm not saying they're all bad by any means. Most of those, however, are open source. And at that point, you need to be able to understand what you're looking at and look at it to know if these things are good or not. Um, you need to know what you're doing at that point. So I'm not gonna say don't ever go sideload an app, don't ever go get something offline. Like it, it it can be extremely useful. Um, but you need to really know what you're doing and understand the risk that you're putting yourself in at that point.

SPEAKER_01

Right. Yeah. And I've seen this a lot of times too with apps where it's like they're on the store and then they're taken offline and now they're being distributed directly through the original creator. And it there may not be anything malicious about that, but there's that extra layer of protection, that extra layer of another development team, an unbiased party going through it and looking at it that now you're missing.

SPEAKER_02

So to an extent, uh, I think the biggest the biggest safety is that you're actually getting it from the vendor. So, like if um something that's happened before is in Linux, if they generally allow mirrors. And so if you want to download the operating system from a mirror, anybody can go put up a mirror and you load up the file and it's whatever whatever file.iso, you can download it, install the operating system. I could go download that ISO, I could modify it, and I could put it up there, which is why you need to check hashes and check your checksums and make sure that it's actually the file that it says it is. Right. Um, so that can happen as well, where you need to make sure that you're not downloading from some alternate source that actually has modified things.

SPEAKER_01

Yeah, yeah. Um, so next point so app permissions, SDKs, we talked about that. Um, ad tech ecosystem. So your device, it broadcasts your location, your device ID, behavioral metadata.

SPEAKER_02

I mean, I. Yeah. Yeah. Unique identifier for the phone. Mm-hmm. So, and then um whatever accounts that you're in, whatever that account is. Those accounts have profiles. So, like if you're on social media, all of your accounts have profiles where it's like your algorithm is tuned to you, and you can see like this person is a uh uh liberal democrat who likes um these types of arts and they like this type of music. And like this is all part of your algorithm. That's how it knows to serve it to you. And the ad tech has access to this data as well. That's how they know who to give ads to. They generally do this in the back end, but you can still request data on some platforms.

SPEAKER_01

Yep, yep. And the third thing that I'll mention as, you know, a way that our phones do leak data is through data brokers. So, you know, they aggregate, they sell the info downstream, and that data is eventually um accessed by uh marketers, private companies, sometimes even the government.

SPEAKER_02

Yeah, that law enforcement. Yep. Yeah, that's that's uh that's a big part of uh of the concerns that people should have. Yeah. Um which we can go into if you want. Uh yes. The so you historically have to have a warrant in order to pull data from a cell carrier. If you want to get a warrant and subpoena a cell carrier and you want to say, hey, I need location data of where this number was, we need triangulation data, we need to know exactly where this was during this time frame because a murder happened or something like that. And we deal with this pretty often. But what a lot of the law enforcement is now doing, like, we know that there's I've got a list I can pull up of people that we've confirmed as clients of this particular instance. Um, they are not having to get warrants because they can just go buy this data that's readily for sale and they know exactly where you've been. They know uh where what your location was, they know if it was a religious institution, they know if you've been to a protest, they know if you've been to a shooting range, they know if you've been to uh um what your friend's house is, if you know if you're involved in a relationship, you know, you're where you work, they know um what stores you go to, they know that you went to a car dealership a couple of times, like it's the they really can get granular detailed on that, and they can they can dig in extremely easy because it's a location pattern of everywhere you've been.

SPEAKER_01

Yeah. So let me ask you this is buying data fundamentally different from surveillance?

SPEAKER_02

Uh data is simply data, the usage is what defines what it is, I guess. So um I would say no, but it really just depends on what the intentions are.

SPEAKER_01

Yeah.

SPEAKER_02

But I don't necessarily think that an advertising company uh surveilling you makes it any better than the government surveilling you.

SPEAKER_01

Right. Yeah. So each has their own goal. So so leading into that point, maybe a hot topic of contention, maybe we use this for the uh preview to get more listens. I don't know. Or maybe we don't, so we the we this doesn't come out, but a lot of people talk about like, oh, we're being tracked, you know, our messages are being listened to, our phone calls are being listened to. How realistic is that?

SPEAKER_02

I mean, pretty realistic, but I think people uh don't understand a lot of the mechanisms through it through what it happens. Um there are some sources which are absolutely public, being scraped, being monitored, things like that. If I just call you directly, is somebody listening to that phone call? Likely not. Um, unless you have some sort of a really targeted surveillance against you, that you've got malware or you've got a wiretap federally or something like that, which there are a lot of federal wiretaps. Like that happens on an extremely large scale. So that's a different story entirely. But I think that the most likely thing is that you're more predictable than you think. Because you we know that you are this person who's done these things and has these interests and has this political affiliation. They probably know your political affiliation better than you do. Um, we know that he interacts with these people who think these things and have these interests, and they usually go to these places, but sometimes they go to these places, and there they usually do these things and they search these things. And last night at two in the morning, whenever he couldn't sleep, he was looking up this one thing, and that is usually looked up by people who do XYZ. Like it's the data that you can get through the mass data correlation is uh probably just as good, uh, if not even better. It's kind of like um there's one story I I like to tell. There was a uh lady who uh was pregnant and she was buying things through Target, and she used to get these mailers from Target. Um, and this was years ago, so it's gotten much better. But she um didn't know she was pregnant, and so she would get these mailers, and so she went to Target and she was buying things and she was checking her account and she was buying like pickles and these random things that typically happen as cravings in the early stages of pregnancy. Yeah, and they started advertising after that. 
They started prenatal vitamins and diapers and all these kind of things, and she was like, you know, this is really weird. Why am I getting these advertisements? Took a pregnancy test, she was pregnant.

SPEAKER_01

That's wild.

SPEAKER_02

Target knew that she was pregnant before she did.

SPEAKER_01

That's wild.

SPEAKER_02

So the data correlation can be extremely strong. Oh, yeah, yeah. And that's just talking about random cravings.

SPEAKER_01

Like, yeah, yeah, we talk about human behavior and and everyone is unique to an extent. It's like when we look at from a marketing aspect, um, we look at basically creating buckets. So if we're creating like personas um to advertise to, um, you know, it it might be five to eight different personas. There could be like five to eight different buckets that everyone kind of falls into, and we don't check all the boxes necessarily, but to an extent, yeah, it's like we up we're very predictable. Um, yeah.

SPEAKER_02

So I think that one thing that's really interesting talking about the malware and like going going towards security is we we always want to talk about make sure you patch your devices, make sure you have multi-factor, watch out for phishing, these things, which are like, yeah, that's good. These are these are extremely good things. But what I would be curious about is is an ad blocker just as much as a privacy feature?

SPEAKER_01

You know, I I think this gives people a false sense of security because you're right, people do focus on antivirus, um, but they really do ignore data exposure.

SPEAKER_02

Yeah, maybe you need to be turning off location data and you need to be using a Pi-hole on your home network, and you actually need to be really hammering down on on you know fighting advertisements. Yeah.

SPEAKER_01

Well, and also like on the phone, so this is slight tangent sideways, but just in case anyone else didn't know this either. Um, you've talked before about, hey, you know, the Apple iPhone's pretty strong out of the box. You know, if you're in public, if you're wanting to make sure that you're being safe, um, turn off Wi-Fi, turn off Bluetooth. And that's basically it, right?

SPEAKER_02

Um, yeah, I generally think you're fine to leave them on too. It depends on what you mean, right? So we're not talking about being hacked in malware and things like that. I think that that's generally fine. The most you're gonna get is something annoying. Yeah, if anybody has a zero day where it by you having Bluetooth enabled on your phone, they can hack your phone. They're probably going to take the $1.2 million from Apple that they get as a bug bounty from that. Right. They're probably not going to hack some random person at a coffee shop with it.

SPEAKER_01

Oh, right. Yeah, yeah. And I think that's the thing. People are like, oh, I'm being targeted, you know.

SPEAKER_02

I think that you you're generally fine with things like that. Yeah. Um, but could there be uh large companies like maybe Starbucks going with coffee shops? Maybe they keep track of everybody who joins the SSID. I don't know, but I would if I was them. Yeah. I mean, I think that there's there's a lot of there's a lot of things like that for privacy why you might want to do it. And I think for the security of your phone, generally you're fine to leave stuff enabled. I think that you are generally fine. Uh the biggest thing is not installing random crap on your phone and not uh accepting, you know, messages and random stuff from people. Where you end up clicking on links maliciously and all that sort of stuff.

SPEAKER_01

Right. Yeah. The point I was kind of getting to was the fact that I had thought that if you flick down the menu and turn off Bluetooth, Bluetooth is off. It doesn't. And it's not. It's like a lot of people think that. They think that if you just flick it down, turn off Bluetooth, Bluetooth is turned off. You start BLE spamming me out. It's like I've got Bluetooth turned off. You're like, you don't. And it's like, oh no. You have to actually go into the Bluetooth and the settings, turn it off. It's it's not as easy as just flick that just disconnects your devices. Right. Yeah. So okay, so we have this false sense of security because people are focusing on antivirus, they're ignoring data exposure. Um, this brings about an expansion of the attack surface. So data can be weaponized, um, social engineering, physical targeting, stalking, doxing. Yeah.

SPEAKER_02

Yeah. No, you're yeah, you're you're absolutely right. I mean, um, if you have access to buy uh, you know, this level of of advertisement data, doxing people's probably pretty insignificant. I mean, uh, I think the the biggest thing is that they're keeping their customer list to it's not necessarily bad people you want to to have it, but they're they're not giving it out to everybody at this point. We we've can or Citizen Lab confirmed ICE is using it, US t US military organizations, uh Texas DPS, a bunch of local police departments, a bunch of district attorneys, um, some other uh countries, uh El Salvador National Police, Hungarian intelligence services, I'm sure most of our intelligence services, why would they not? Um So I I think the biggest thing is preventing them from being a huge issue whenever it does come to stalking and that sort of stuff is um is gonna be the fact that the data's a little bit exclusive right now. Now, how long until that gets out, I don't know.

SPEAKER_01

Right. Well, and what's to stop this from becoming part of a ransomware attack and now that data is all out there. Exactly. Exactly. Yeah. So let's talk about all right, let's talk about actions that we could take. So practical defense. Um, what are some like high impact steps and things that you can do?

SPEAKER_02

Um actually, oh I gotta I gotta lead into that kind of thing. Okay, all right. So um why what I'll say I want to tell you what I think about this as a red teamer. So if I can get location, can I verify an employee's identity before I do a social engineering attack? If I can get their identity, can then I get other people's can I target an executive? Can can I figure out things about that executive that would assist me in the social engineering? Um, can I find patterns in the things that they do to set up an attack easier? Hey, this person always goes to this coffee shop. I'm gonna sit up there with a Wi-Fi pineapple. Um, can I find travel patterns? Every third Tuesday they fly here or something like that, and I can try to, you know, source my attacks out at that point. Um if they are at a data center or something like that, you know, it's looking at IT people or they go to this data center sometime. I bet you they have stuff there. You can know where to target. Yeah.

SPEAKER_01

Um it's it's any any gathering OSINT by following someone around.

SPEAKER_02

And a lot of large organizations have covert facilities too, right? Where it's it's this is what they they don't want everybody to know, their infrastructures here. It could easily reveal all those. Yeah. So as far as a a business level, there's massive concern from from employees that are just having their phones doing normal stuff.

SPEAKER_01

Yeah. It's wild.

SPEAKER_02

So how do you protect against that?

SPEAKER_01

Yeah, so how do you protect against that? Well, first thing I'll throw on is you know, disable ad tracking, which I would hate, honestly, as a marketer, but you know, let's be real, if you wanna um start um ways to disable this, yeah, ad tracking, reset your advertising ID. Um and this is something that I've actually done a lot of too, just because I hate the way my phone battery drains all the time, but limiting location access. You know, don't have it where you you you don't need Spotify to know where your location is at all times, you know. There's apps that doesn't that don't need to know where you are. So if you have an app that does require um location tracking, um, you know, set it to like while using or something similar to that. So yeah. Um probably good security hygiene to just remove unused apps as well. Um prefer privacy-focused apps. Um, and then you know, avoiding unnecessary permissions. So whether that's like, you know, Bluetooth permissions. I mean, how many times do you see now like I will go to open up an app and I don't know why, but it's like, hey, do you want me to find Bluetooth devices in your area? And it's wild when you're doing it at home because then you're seeing like a map that's showing like all the Bluetooth devices of your neighbors and everyone within a radius um with the names of those devices. And so, yeah, contacts, um, you know, et cetera, just you know, permissions. Yeah. So um, what are some other things that you would suggest?

SPEAKER_02

Um, looking into something like a Pi-hole for your home network, it's going to filter out all of your advertisements. Um, there are some services that can feed fake data. Uh there some of those are pretty fun. Um, or you can like there's there's one is a browser plugin where periodically you can say, like, hey, reset my advertising profile, and it'll spend the next 20 minutes just searching a ton of things you would never search and going to a bunch of websites you would never go. You can go as far as spoofing GPS data to like really mess with stuff. Um, but I think the the most practical thing for people to do is looking at ad blockers, looking at something like a Pi-hole for your home network. Um, this is actually I typically don't recommend VPNs, but whenever it comes through like a privacy sort of deal, really, that's possible. But at the same time, now all of your data lies with the VPN provider, so you have to hope that they're good.

SPEAKER_01

True, probably the same with like DNS filtering too.

SPEAKER_02

Yes, yeah, sure. Yeah, and a lot of the times those are one and the same.

SPEAKER_01

Yeah.

SPEAKER_02

Um, but the at that point also it could be like, okay, we know that they're a customer of Mullvad VPN. Like, you know, I mean, because they know what those IPs are, they know so so that might be a double-edged sword, but personally I do use one on my mobile phone, and I make sure I have it has blocking advertisements features on it and and things like that. Um, and you can get super crazy with it. Really, I mean, use lockdown systems that you know don't have anything in them. You know, you can go as far as I'm gonna use an Orange Pi because it doesn't use any chips that have backdoors in it, and I'm not gonna have an accelerometer in this machine, and I'm gonna do all these these things to make sure it's super bare bones and only I have this, and I'm gonna use Linux that doesn't have any kind of a tracker in it, and uh like you can really get get hardcore with it. You can get hardcore. But it just depends on how much uh practicality you're willing to put into it versus you know what's what's what's tracking you.

SPEAKER_01

Right. And I'd I'd say, and I don't know, you can be your thoughts on this too, but I don't think I don't think you can fully opt out, but you can take steps to reduce your signal. Yeah, for sure. Yeah, for sure. All right, let's do it, let's do a little something fun here. We're gonna do um a lightning round here because getting back to the topic hacked versus tracked. So we're talking about a lot of instances where people are like, oh, I've been hacked because you know people are uh you know promoting products to me and they're ah, they're in my head, they're in my phone, they they're listening through the devices. Um, but okay, so no. So malware infections, hacked, not tracked. Sure. So yeah, a phishing compromise. Generally hacked. Yeah, not tracked. Yeah. App collection, um, collecting location. So also not hacked.

SPEAKER_02

It could be either, but most much, much more likely it's just it's just ad data.

SPEAKER_01

Yeah, ads following you. Yeah, yeah, that's tracked, yeah. Um, data broker profiles also, yeah, not hacked, but tracked. And there you go. Nation state spyware. Probably hacked. There's not much you can do about that. Yeah. So um this might be a function bug for you up. Yeah. Yeah. Yeah. Um get an unplugged phone. Um, yeah, um, personally checked by Alias Cybersecurity. Yep. So um, yeah, so the the nation state spyware. I think that's I I think one of the things that kind of sticks out to me is people are like, oh, they're listening. You know, like, for instance, there's all these protests that happen, and regardless of what side you're on, the protests, there are probably people there that are, you know, analyzing things and keeping an eye on things and trying to see what's going on. And so um, you were telling me a little bit about the Stingray. Yeah. Um, but that's not like a it doesn't work like in the movies where it's like, oh, in real time, they're capturing all this data and they know exactly what you're saying, right?

SPEAKER_02

Yeah, yeah. Yes and no. Like, I mean, anything that's happening through like a level of of encapsulation and encryption is going to be harder for them to see, but they can definitely get especially like SMS messages that aren't like an iMessage or like a Signal or something like that. Right. Um, so they have a have a device called a Stingray, which is basically a rogue cell tower. Uh, and so they're they can bring this out to events like a protest and they can say, okay, they have they can do like what's called like a downgrade attack, where it's much easier to do this on 4G than 5G. 5G has a lot of protections. But if your phone doesn't have 5G, it will it will negotiate down to 4G, it will negotiate down to 3G still. So you can go down down until there are really vulnerable protocols that they can use. And so this is typically what they like to do. Um, there's that's just one of the several attacks. There's many attacks they can do to try to get you to link onto the Stingray instead of the actual cell tower. And you're going through theirs. It's just like a Wi-Fi. It's just like a Wi-Fi Pineapple, but but through that. Um yeah, there's a device that you can you can set up called the uh the Rayhunter. You can build it with uh with an LTE hotspot, and you can flash your firmware onto it. They support a bunch of different hotspots now, and it you can take it to places and just run it, and it'll look for those patterns of attacks in the air. Uh and you can you can run a packet capture and you can analyze everything. It'll start, it'll do it live too, where it'll like pop up and say, like, you know, like flashing red bar, like, yo, there's a Stingray, this device is is seeing attacks happening on the air. Um, so that's really fun to play with.

SPEAKER_01

If if it identifies it, it's it's yeah, you know it's within range. Yeah, yeah.

SPEAKER_02

Yeah. But yeah, yeah, if it yeah, if it identifies it, it's essentially too late.

SPEAKER_01

Yeah, yeah. So all right. So, you know, closing thoughts. So, I mean, we've pretty much we've built I had a I had a question.

SPEAKER_02

I had a question to ask you before we did closing thoughts. I don't know if you can tell me about it or not, but are you familiar with RTB or real-time bidding? Real-time bidding for ad for ad data?

SPEAKER_01

I've I've heard about it, but I've I've not looked into it now.

SPEAKER_02

Um, I don't know a ton about it. We'll have to talk about it another time. But yeah, I guess there's advertising bidding on live ads. So like it goes as much as um, hey, I'll bid this much to advertise this to people who search this. And so like there might be five people who have bid on it, and if you meet their profile enough and they've bid enough, they'll get their ad served to you. So, like, if you meet a profile of like, say I have searched these things and now I'm searching wedding rings or something like that, there's like five different advertisers who are bidding to send their ad to you because it's much more likely a payoff. Something like that.

SPEAKER_01

Yeah, yeah.

SPEAKER_02

Kind of like with Google AdWords. Yeah, I don't know. Apparently, this is happening on a large scale. Citizen Lab was talking about it, but they didn't go into it super deep.

SPEAKER_01

Hmm. Okay. We need to look into that for the next time. All right, all right. Next podcast, real-time bidding. Real time bidding, yeah. Um, yeah. So, I mean, we pretty much we've it's we can't we can't really go back. We've kind of built this world where surveillance doesn't really require hacking, it's just access to the right data feeds. Um, so what what do you think is more dangerous? Illegal hacking or illegal tracking at scale?

SPEAKER_02

Well, it's not illegal. Huh? It's not illegal.

SPEAKER_01

Oh, I said legal. Oh, legal, yeah, or legal.

SPEAKER_02

Yeah. Um, I think an illegal hack will probably be much more damaging whenever it does happen. But I think that for 99% of people who are constantly being, you know, tracked by ad stuff, they're more impacted than the 0.1% of people who are being hacked. So I think if you're unlucky enough to fall into the line of the line of, hey, I'm actually getting hacked in a in a bad way, um, that's probably going to be worse for you than the tracking. But I think the tracking is interfering with our lives in ways that people have no idea of.

SPEAKER_01

Oh, yeah. No, we're happy to have the tools and the technology in our hands, and we don't understand how much we're actually giving away with that. So um, yeah, I'd say that, you know, data tracking is making people a lot more vulnerable.

SPEAKER_02

Yeah. So especially whenever you tie it into, you know, the the Flock ecosystem and all the the camera stuff that's happening lately.

SPEAKER_01

Yeah, I was actually going to bring that up because that's kind of like I I've that that's that's been happening here in Oklahoma a lot. And you actually were on the news doing a segment about it sometime last year. Yeah. And uh it's it's come up again the news in the last couple of weeks, and people were like complaining about it because they're like, oh, I don't want these cameras tracking us everywhere. And that's funny because you see people like also respond, you know, you have a camera in your pocket that tracks you everywhere you go. It's not the same. Yeah.

SPEAKER_02

It's not the same, though. Yeah. No, the the level of of data that those are capturing is absurd. I mean, it's it's ridiculous the network that they've developed. Yeah. You won't go into a little bit more.

SPEAKER_01

This is another misconception network.

SPEAKER_02

It could be a whole nother a whole nother episode, but but yeah, I mean they so they're called ALPRs, automatic license plate readers. Most of the cameras that you see, it's little, it's basically got it looks like a little webcam on a solar panel that's on a post, and they're kind of standing alone, and they usually don't meet any of the standards that they need to for road signs to meet, by the way. Interesting, but I guess you know that nobody cares about that. Um because they're supposed to have safety protocols like breaking away and they don't, but I digress. Um, they they are able to monitor everything that they can see. So they have profiles on individuals walking, biking, things like that for vehicles, which is obviously the main thing. It's not just license plate, they keep a profile of vehicles. So if you don't have a license plate, they can still identify that vehicle, they can still give it a profile. Hey, this is um this is a 2012 Corolla that has a dent on the back left bumper and it has a sticker here. We know that this is a uniquely individual car. We know who this is, we know who drives it, we know where they go, we know exactly what their patterns are every single day. We know the one-offs that they do because they have enough camera for this, and they know exactly where you were seen at most recently, which is um, you know, probably yeah. But then the data, the the data of the people who have access to that. I mean, a lot more people have access to the Flock data. Tons and tons of people have access to the Flock data. And we've seen um also Ring cameras are feeding into Flock and all kinds of things now are fleeting, feeding in these networks. Not even to mention like Palantir and the larger nation networks. This is more of a smaller scale, but they've had we could we could really go into this. Uh, where they've had individuals who are doing creepy stuff. I mean, they've had people who are um they had one, I think it was an executive who got caught looking at like a bunch of like children's gymnastics cameras and like all kinds of like creepy stuff. They've had like 37 instances of officers that are committing stalking against like their ex-girlfriends and stuff like that. I mean, it's far worse. Maybe not worse. It's far worse on a smaller scale, but it's still a giant scale.

SPEAKER_01

Gosh.

SPEAKER_02

So that's a whole we could we could talk all day about Flock.

SPEAKER_01

Oh, yeah, yeah. And on the Ring camera specifically, as I know we've worked, I've helped out on digital forensics cases where you know we're looking at Ring camera footage to see something that happened 500 yards down the street, you know.

SPEAKER_02

Yeah, and I won't I won't stick my head in the sand and say like it doesn't it hasn't ever helped solve a crime or something like that. Like there's been valid uses of it, but uh I it's it's a privacy privacy versus safety sort of deal.

SPEAKER_01

Um and that's it's it's weaponized. It's like in the hands of the wrong person, it can be very detrimental.

SPEAKER_02

Who is it? Benjamin Franklin that had the privacy quote. So those who value priv those who value uh safety above privacy devo deserve neither. Something like that. I probably have that wrong, but yeah, I think that's all right.

SPEAKER_01

Abraham Lincoln said something about everything you see on the internet being true. Yeah, yeah. Yeah, I don't know. But yeah, so you've kind of went into this a little bit, but yeah, just maybe a final word on like, you know, going back to using like the data broker intel, like from a red team expect uh from a red team perspective, how do you see attackers using that data?

SPEAKER_02

Yeah, kind of like what I was I was mentioning earlier, where I I I would use it to identify an individual, um, how I need to target to social engineer that individual. A lot of the times I'll try to find whenever somebody's gonna not be there. I'll try to like schedule a calendar invite with somebody. And whenever they say, Oh, I can't do that, I have I have something here. I'll try as like a fraudulent person, right? Like, hey, I'm part of this sales thing that you want, and I'm gonna hook you up. And can you do a meeting this time? And I'll just try to find a time that they're not there, and like that's when I know I can go break in and like say, Oh, I'm here to see so-and-so. Who I've already done all my research on that becomes a lot easier, yeah. So you can get data like that, um, find out the locations of assets, you can find out um what they're into, or if you can build a profile on somebody to spear-phish them, which I've talked before about some of the spear-phishing campaigns that we've done where we've really gone all in developing, yeah.

SPEAKER_01

Well, I think, I think, and I don't know, this is oof. Kind of going off of that, you can spear-phish, you can find like executives by you can figure out their families' patterns too, yeah, yeah, based off of stuff that they're looking up. Like if they're looking up um, you know, vacation information or like if they're looking at like toys or I answered you as a red teamer also.

SPEAKER_02

Um, yeah, had I been uh a real POS attacker, I might even target the family.

SPEAKER_01

Yeah.

SPEAKER_02

And I might try to be hesitant to bring that up. I might try to hack I might try to go through Roblox via the child to hack the family computer. I might get an info stealer on that family computer and see if they've ever logged into their email on it. Um yeah, I I would you could do a lot.

SPEAKER_01

Yeah. It's it's a scary world. But um, yeah, so the kind of going back in the closing, you know, I mean, this is this is just the world we live in. So tracking is way more common and it's more normalized than hacking is. Um, you know, your phone isn't spying on you, it's participating in the marketplace. So um just exercise, you know, safety and kind of going back to, you know, again, those bullet points of things that you can do um to um, you know, try to mitigate this a little bit, you know, um, you know, disable your ad tracking, you know, limit your location access, um, remove your unused apps. And this is good hygiene for your phone anyway. So, because it saves hard drive space, it saves battery power. Um, definitely prefer privacy-focused apps and uh avoid unnecessary permissions. Um, if you get pop-ups popping up on your phone to like give access to something, don't just like blindly click it without reading. Look and see what it actually is doing. And you might want to sacrifice a little bit of convenience for your privacy. Absolutely. We're gonna end it on that note because I can't think of a better line. So thank you everyone for listening. Um, we'll catch you next time. Thank you.

SPEAKER_00

The Secure AF Podcast is a production of Alias Cybersecurity. Visit us online at aliascybersecurity.com. All rights reserved.
